MAL-2026-4194
Malicious code in libhmac (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (fccbd481dd2bd04274c5045995a08ddbcf302780c24f39eb63821d5d63a998d1) The PyPI name 'libhmac' matches the well-known libyal/libhmac C forensics library (HMAC primitive), but the package contents have nothing to do with HMAC primitives. The shipped code is a complete Chromium-family browser-extension hijacking toolkit. ChromeManager.ReplaceInPlaceExtensions (src/libhmac/extension_patcher.py) enumerates all Chrome/Edge/Brave/Vivaldi profiles for the current user, copies attacker payload bytes (`dm_core_bg.js`, `dm_core_bg.wasm`) into each extension's version directory, rewrites `manifest.json` to add `<all_urls>` host permissions and a relaxed `content_security_policy` (wasm-unsafe-eval, broad connect-src), strips `extensions.ui.developer_mode_encrypted_hash` from Chrome's Secure Preferences (src/libhmac/preferences_handler.py:84), and recomputes Chrome's `super_mac` using the per-browser HMAC seed extracted from `resources.pak` (src/libhmac/hmac_calculator.py:223) to defeat tamper detection. The advertised purpose in pyproject.toml is 'Chromium extension host sync, CSP relaxation, and in-place extension patching'. Author metadata is a placeholder ('libhmac maintainers', no email, no homepage, no repo) under a 'Proprietary' license. A developer who runs `pip install libhmac` expecting the libyal HMAC library instead pulls in a browser-compromise toolkit; downstream packages can `import libhmac` to weaponize any installer's browser profiles. The combination of name impersonation of an established OSS library, anonymous maintainer identity, and offensive capability with no legitimate dual-use framing is the fingerprint of namespace-abuse malware infrastructure.
## Source: kam193 (9bb9951f337f12dd13b75c0646ac2c38680ea60f2ad841b9f102e441993c9c56) The package is a loader of an infostealer that modifies browser extensions to intercept credentials and cryptowallet data. The installation is not automatic, the code is intended to be triggered externally, but includes hardcoded exfiltration target.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-libhmac
Reasons (based on the campaign):
- crypto-related
- exfiltration-credentials
- exfiltration-crypto
- exfiltration-browser-data
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for libhmac (pip). Pin to a known-safe version or switch to an alternative.